WO2006040895A1 - Relay device, relay method, relay program, and network attack defense system - Google Patents
- Publication number: WO2006040895A1 (PCT/JP2005/016666)
- Authority: WO, WIPO (PCT)
- Prior art keywords: signature, priority, storage means, packet, suspect
Classifications
- H04L12/22 (H04L12/00 Data switching networks; H04L12/02 Details): Arrangements for preventing the taking of data from a data transmission channel without authorisation
- H04L63/1408 (H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 ... for detecting or protecting against malicious traffic): ... by monitoring network traffic
- H04L45/56 (H04L45/00 Routing or path finding of packets in data switching networks): Routing software
Definitions
- Relay device, relay method, relay program, and network attack defense system
- the present invention relates to a relay apparatus, a relay method, a relay program, and a network attack defense system that control the passage of a packet on a network based on a signature for controlling the passage of the packet.
- the upstream or downstream relay device is a relay device having an adjacent relationship (hereinafter referred to as an adjacent relay device) and is the relay device in the direction in which the attack suspect packets flow. The relay device that has received the suspect signature then transmits the suspect signature received from the downstream relay device to the upstream relay device and limits the transmission bandwidth of the attack suspect packets identified by the suspect signature.
- the relay device sets a normal condition for identifying communication packets transmitted from a communication terminal used by a legitimate user (that is, a condition for normal packets that are not regarded as an attack), transmits it to the upstream relay device, generates a normal signature for identifying normal packets based on the normal condition and the suspect signature, and then releases the transmission bandwidth restriction on the normal packets identified by the normal signature. Further, the relay device that has received the normal condition transmits the received normal condition to its upstream relay device, generates a normal signature based on the normal condition and the suspect signature, and then releases the transmission bandwidth restriction on the regular packets identified by that normal signature.
- the relay device performs the process of limiting the transmission band of the suspected attack packet and the process of canceling the transmission band restriction of the regular packet, but performs the process.
- that is, the filter unit of the relay apparatus puts a packet that matches the condition determination using the normal signature into a predetermined queue, and then performs the condition determination using the suspect signature for packets that do not match the normal signature.
- Patent Document 1: Japanese Patent Laid-Open No. 2003-283554
- the present invention has been made to solve the above-described problems of the prior art, and its object is to provide a relay device, a relay method, a relay program, and a network attack defense system capable of processing packets in a desired order when there are a plurality of signatures.
- the invention according to claim 1 is a relay device on the network that has a signature storage means for storing signatures for controlling the passage of packets and controls the passage of packets based on the signatures stored in the signature storage means, and comprises a priority order determining means for determining a priority order for the signatures stored in the signature storage means, and a packet control means for selecting signatures from the signature storage means in order of the priority determined by the priority order determining means and controlling the passage of the packet based on the selected signature.
- the signature storage means stores automatically generated signatures, generated automatically by a predetermined condition determination, and setting signatures set by an administrator of the network
- the priority order determining means is characterized in that, for the automatically generated signatures and the setting signatures stored in the signature storage means, it gives the setting signature a higher priority than the automatically generated signature.
- the signature storage means stores a plurality of signatures for restricting passage of the packet within a predetermined range
- the priority order determining means is characterized in that, among the plurality of signatures stored in the signature storage means, a higher priority is given to a signature whose restriction range is stricter.
- a suspect signature generation means detects an attack suspect packet based on a predetermined attack suspect detection condition and generates a suspect signature for limiting the attack suspect packet
- when the suspect signature is generated by the suspect signature generation means, the priority order determining means assigns a priority to the suspect signature and stores it in the signature storage means.
- the invention according to claim 5 is the above invention, further comprising a normal signature generation means for generating a normal signature for permitting legitimate packets based on a predetermined normal condition, and the priority order determining means is characterized in that, when a normal signature is generated by the normal signature generation means, it assigns a priority to the normal signature and stores it in the signature storage means.
- an illegal packet is detected based on predetermined illegal traffic detection conditions, and an illegal signature is generated to limit the illegal packet.
- the priority order determination means assigns a priority to the illegal signature and stores it in the signature storage means when the illegal signature is generated by the illegal signature generation means.
- the invention according to claim 7 is the above invention, further comprising a signature receiving means for receiving, from another relay device, a suspect signature for limiting attack suspect packets, and the priority order determining means is characterized in that, when a suspect signature is received by the signature receiving means, it assigns a priority to the suspect signature and stores it in the signature storage means.
- the invention according to claim 8 is the above invention, further comprising a normal signature generating means for generating a normal signature for permitting valid packets based on a predetermined normal condition received from the other relay device, and the priority order determining means is characterized in that, when a normal signature is generated by the normal signature generating means, it assigns a priority to the normal signature and stores it in the signature storage means.
- the invention according to claim 9 is the above invention, further comprising a signature input means for accepting input of a signature from the network administrator, and the priority order determining means is characterized in that it assigns priorities to the signatures input by the signature input means and stores them in the signature storage means.
- the invention according to claim 10 is a network attack defense system that has a signature storage means for storing signatures for controlling the passage of packets and controls the passage of packets based on the signatures stored in the signature storage means, and comprises a priority order determining means for determining a priority order for the signatures stored in the signature storage means, and a packet control means for selecting signatures from the signature storage means in descending order of the priority determined by the priority order determining means and controlling the passage of the packet based on the selected signature.
- the invention according to claim 11 is a relay method in a device on the network that has a signature storage means for storing signatures for controlling the passage of packets and controls the passage of packets based on the signatures stored in the signature storage means, the method comprising a priority order determining step of determining a priority order for the signatures stored in the signature storage means, and a packet control step of selecting signatures from the signature storage means in descending order of the priority determined by the priority order determining step and controlling the passage of the packet based on the selected signature.
- the signature storage means stores automatically generated signatures, generated automatically by a predetermined condition determination, and setting signatures set by an administrator of the network
- the priority order determining step is characterized in that, for the automatically generated signatures and the setting signatures stored in the signature storage means, it gives the setting signature a higher priority than the automatically generated signature.
- the signature storage means stores a plurality of signatures for restricting passage of the packet within a predetermined range
- the priority order determining step is characterized in that, among the plurality of signatures stored in the signature storage means, a higher priority is given to a signature whose restriction range is stricter.
- the relay program according to the present invention is a program for a device that has a signature storage means for storing signatures for controlling the passage of packets and controls the passage of packets based on the signatures stored in the signature storage means, and causes the device to execute a priority order determining procedure for determining a priority order for the signatures stored in the signature storage means, and a packet control procedure for selecting signatures from the signature storage means in descending order of the determined priority and controlling the passage of the packet based on the selected signature.
- the signature storage means stores automatically generated signatures, generated automatically by a predetermined condition determination, and setting signatures set by an administrator of the network
- the priority order determining procedure is characterized in that, for the automatically generated signatures and the setting signatures stored in the signature storage means, it gives the setting signature a higher priority than the automatically generated signature.
- the signature storage means stores a plurality of signatures for restricting the passage of the packet within a predetermined range, and the priority order determining procedure is characterized in that, among the plurality of signatures stored in the signature storage means, a higher priority is given to a signature whose restriction range is stricter.
- the priority order is determined for the signatures stored in the signature storage unit, and the signatures are selected in descending order of priority. Since the passage of the packet is controlled based on the selected signature, it is possible to process the packets in a desired order when there are a plurality of signatures.
- among a plurality of signatures for restricting the passage of packets within a predetermined range, a signature with a stricter restriction range is given higher priority. As a result, packets can be processed more reliably without causing inconsistencies in packet control.
- since the suspect signature is generated and its priority is determined when an attack suspect packet is detected, a priority can be assigned without delay to the suspect signature generated at the time the attack suspect packet is detected.
- since the normal signature is generated and its priority is determined, a priority can be assigned without delay to the normal signature generated at the time the attack suspect packet is detected.
- since the priority of the suspect signature is determined when it is received, a priority can be assigned without delay to the suspect signature received from another relay device.
- since the priority of the signature is determined when it is input, a priority can be assigned without delay to the signature set by the network administrator.
- FIG. 1 is a system configuration diagram showing a configuration of a network attack defense system.
- FIG. 2 is a block diagram showing a configuration of the relay device.
- FIG. 3 is a diagram showing an example of information stored in an attack suspect detection condition table.
- FIG. 4 is a diagram showing an example of information stored in an illegal traffic detection condition table.
- FIG. 5 is a diagram showing an example of information stored in a normal condition table.
- FIG. 6 is a diagram illustrating an example of information stored in a signature list.
- FIG. 7 is a flowchart showing a processing procedure when an attack suspect packet is detected.
- FIG. 8 is a flowchart showing a processing procedure when receiving a signature.
- FIG. 9 is a flowchart showing a processing procedure when an illegal packet is detected.
- the “suspect signature” used in this embodiment is a signature for restricting a packet suspected of attack (attack suspect packet).
- specifically, it specifies attributes indicating the characteristics of the attack suspect packets whose passage is restricted (for example, destination IP address, protocol, destination port number, etc.) and restriction information (for example, information for limiting the bandwidth when a specific packet flows in).
- the "regular signature" used in the present embodiment is a signature for permitting the passage of regular packets (packets which, among the packets corresponding to the suspect signature, are communication packets of legitimate users and are not regarded as an attack). Specifically, it defines attributes (for example, source IP address, service type, destination IP address, protocol, destination port number, etc.) that indicate the characteristics of the regular packets that are allowed to pass.
- the "illegal signature" used in this embodiment is a signature for restricting illegal packets (packets belonging to illegal traffic). Specifically, the source IP address of the illegal packets, etc., is defined.
- [System Overview and Features]
- FIG. 1 is a system configuration diagram showing the configuration of the network attack defense system according to the present embodiment.
- the network attack defense system 100 includes a plurality of relay devices 10 on a network. Further, on this network, a server 20 as a computer subject to a DoS attack or a DDoS attack and a communication terminal 30 as a computer capable of performing such a DoS attack or a DDoS attack are connected.
- when each server 20 is distinguished, it is described as server 20-1 or server 20-2, and when each communication terminal 30 is distinguished, it is described as communication terminal 30-1 to communication terminal 30-5.
- when at least one of the communication terminals 30 performs a DoS attack or a DDoS attack on the server 20 on the network, the relay device 10 generates signatures for controlling (restricting) the passage of the packets, and also generates a normal signature for permitting the passage of packets.
- the relay device 10 registers the signatures it generates (suspect signatures, illegal signatures, and regular signatures) in the signature list.
- the relay device 10 transmits the generated suspect signature (together with the normal condition used for generating the normal signature) to the adjacent relay devices.
- when the relay device 10 receives a suspect signature and normal condition from an adjacent relay device, it generates a normal signature based on the normal condition and registers the received suspect signature and the generated normal signature in the signature list.
- as an example of adjacent relay devices, in FIG. 1 the adjacent relay devices of relay device 10-3 are relay device 10-1, relay device 10-2, relay device 10-4, and relay device 10-7, and there is no adjacency relationship with relay device 10-5 and relay device 10-6. This adjacency relationship does not mean physical adjacency.
- further, the relay device 10 accepts setting instructions for signatures (suspect signatures, illegal signatures, and regular signatures) from the network administrator and registers the signature specified by the instruction in the signature list; for signatures already registered in the signature list, it also accepts correction instructions from the network administrator and registers the corrected signature in the signature list.
- a signature registered in the signature list by the network administrator's setting instructions and correction instructions is defined as a "setting signature", and signatures that the relay device 10 generated itself and registered in the signature list, as well as signatures received from an adjacent relay device and registered in the signature list, are defined as "auto-generated signatures".
- the relay device 10 registers the suspect signatures, the illegal signatures, and the regular signatures in the signature list. The relay device 10 then controls the passage of packets based on this signature list. That is, packets that correspond to an illegal signature or a suspect signature have their transmission bandwidth limited or are discarded, while packets that correspond to a normal signature, or that do not correspond to any signature, are allowed to pass without restriction.
- the relay apparatus 10 in the present embodiment is mainly characterized in that priorities are given to the signatures registered in the signature list. Specifically, when the relay device 10 controls the passage of a packet, it determines whether the packet corresponds to one of the signatures registered in the signature list; in this determination, it selects signatures in descending order of priority from among the signatures registered in the signature list, determines whether the packet corresponds to the selected signature, and controls the packet based on the signature to which it corresponds. This makes it possible to process packets in the desired order even when there are multiple signatures.
- the relay device 10 is a device for relaying packets while defending against attacks, and may function as a router or a bridge, for example. Further, the relay device 10 may be connected to a management network for managing the relay device 10 and the like, and the signature may be transmitted / received via the management network.
- FIG. 2 is a block diagram showing the configuration of the relay device 10.
- the relay device 10 includes a network interface unit 11, a packet acquisition unit 12, an attack detection unit 13 (together with an attack suspect detection condition table 13a, an illegal traffic detection condition table 13b, and a normal condition table 13c), a signature communication unit 14, a priority determination unit 15, a filter unit 16 (together with a signature list 16a), and an input unit 17.
- the relay device 10 includes a CPU (Central Processing Unit), a memory, a hard disk, and the like.
- the packet acquisition unit 12, the attack detection unit 13, the signature communication unit 14, the priority order determination unit 15, and the filter unit 16 may be modules of a program processed by the CPU.
- the module of this program may be processed by one CPU, or may be distributed and processed by a plurality of CPUs.
- the relay device 10 may be installed with a general-purpose OS such as Linux, and the packet filter provided in the general-purpose OS may function as the filter unit 16.
- the attack detection unit 13 corresponds to the "suspect signature generation means", "regular signature generation means", and "illegal signature generation means" described in the claims, and the signature communication unit 14 corresponds to the "signature receiving means"
- the priority determination unit 15 corresponds to the "priority order determining means"
- the filter unit 16 corresponds to the "packet control means"
- the signature list 16a corresponds to the "signature storage means"
- the input unit 17 corresponds to the "signature input means".
- the network interface unit 11 is a means for transmitting and receiving packets to and from communication devices connected to the network. Specifically, it is a network connection card for connecting to a LAN (Local Area Network), a WAN (Wide Area Network), or other networks.
- the input unit 17 is an input means for accepting various information and instructions as input by the network administrator.
- the input unit 17 includes a keyboard, a mouse, a microphone, and the like, and accepts, for example, setting instructions for signatures to be newly registered in the signature list 16a described later, as well as correction instructions and deletion instructions for signatures already registered.
- the relay device 10 may also be provided with output means, such as a monitor or display, or a touch panel, for outputting various types of information.
- the packet acquisition unit 12 is a processing unit that acquires the packets received by the network interface unit 11 and provides statistical information about the acquired packets to the attack detection unit 13.
- the attack detection unit 13 is a processing unit that performs attack detection and attack analysis based on the statistical information provided by the packet acquisition unit 12, and, as shown in FIG. 2, is connected to the attack suspect detection condition table 13a, the illegal traffic detection condition table 13b, and the regular condition table 13c.
- the contents of processing by the attack detection unit 13 will be explained.
- FIG. 3 is a diagram showing an example of the information stored in the attack suspect detection condition table 13a, more specifically the "attack suspect detection conditions" used to detect attack suspect packets, that is, received packets that may be attack packets. As shown in the figure, the attack suspect detection conditions consist of multiple records (three in this case), each a combination of a detection attribute, a detection threshold, and a detection interval. If traffic matches the condition of one of the records, the communication packets of that traffic are recognized as attack suspect packets. The number is used for convenience to identify the record.
- the "detection attribute" specifies an attribute of the IP header of the IP packet, or an attribute of the TCP header or UDP header contained in the payload of the IP packet.
- for example, the detection attribute of the record with number 3 is specified by the attribute "DestinationIPAddress (destination IP address)" having the value "192.168.1.0/24".
- the "detection threshold" of the attack suspect detection condition specifies the minimum transmission bandwidth at which traffic of received packets having the detection attribute specified in the same record is detected as attack suspect traffic.
- the "detection interval" of the attack suspect detection condition specifies the minimum continuous time for which traffic at or above the detection threshold must continue.
- as a detection attribute, a set of attribute values may also be specified such that the value of "DestinationIPAddress (destination IP address)" is unconditional (any) and "Protocol (protocol)" is "ICMP (Internet Control Message Protocol)".
- FIG. 4 is a diagram showing an example of the information stored in the illegal traffic detection condition table 13b, more specifically an example of the "illegal traffic conditions" used for detecting illegal traffic from the traffic of attack suspect packets.
- the illegal traffic conditions are configured from the traffic patterns of known DDoS attacks, and if the traffic of attack suspect packets matches any of the traffic patterns, it is recognized as illegal traffic. The number is used for convenience to identify the record (pattern).
- the illegal traffic condition of number 1 indicates the traffic pattern "the transmission bandwidth is T1 Kbps or more and packets are transmitted continuously for S1 seconds or more".
- the illegal traffic condition of number 2 indicates the traffic pattern "the transmission bandwidth is T2 Kbps or more and Echo Reply message packets of ICMP (Internet Control Message Protocol) are transmitted continuously for S2 seconds or more".
- the illegal traffic condition of number 3 indicates the traffic pattern "the transmission bandwidth is T3 Kbps or more, and the data contained in the packet is too long and is divided into multiple IP packets".
- FIG. 5 is a diagram showing an example of the information stored in the normal condition table 13c, more specifically the "normal conditions" representing packets transmitted from communication terminals 30 used by legitimate users.
- the normal conditions are composed of a plurality of records, each consisting of a pair of an attribute of the IP packet and its attribute value. The number is used for convenience to identify the record (pattern).
- for example, the source IP addresses of a branch of the company that owns the server 20 to be protected, or of an affiliated company, are set, as are the source IP addresses of networks whose users the owner of the server 20 recognizes as authorized users.
- when the attack detection unit 13 detects an attack based on the statistical information provided by the packet acquisition unit 12, it generates a suspect signature for limiting the communication packets of the attack suspect traffic (attack suspect packets). Specifically, according to the attack suspect detection conditions shown in FIG. 3, the attack detection unit 13 checks whether traffic matching the detection attribute has been transmitted continuously, at a transmission bandwidth equal to or greater than the detection threshold, for a time equal to or longer than the detection interval; if any of the records matches, this traffic is detected as attack suspect traffic, and the detection attribute of the record of the attack suspect detection conditions satisfied by the attack suspect traffic detected at this time is generated as the suspect signature.
- when the attack detection unit 13 detects an attack, it generates normal signatures together with the suspect signature. Specifically, referring to the normal conditions shown in FIG. 5, it takes the AND of the suspect signature with each record of the normal conditions and generates each result as a normal signature.
- this normal signature is a signature used to permit, from among the packets corresponding to the suspect signature, the regular packets that are communication packets of legitimate users.
- when the attack detection unit 13 detects traffic that matches any of the patterns of the illegal traffic conditions shown in FIG. 4, it generates an illegal signature for limiting that illegal traffic. Specifically, the source IP addresses of the packets that satisfy the detected illegal traffic condition are specified as an illegal address range, and the condition that the source address is within the illegal address range and the packet matches the suspect signature is generated as the illegal signature.
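The signature generation procedure of the attack detection unit 13 (detection against the FIG. 3 conditions, the AND of the suspect signature with each FIG. 5 record, and the illegal address range derived from the FIG. 4 patterns), as an added worked example in Python. This is illustrative code written for this page, not code from the patent; the attribute names, thresholds, condition tables and traffic observations are constructed, and per-observation statistics (attributes, bandwidth, continuous seconds) stand in for the statistical information provided by the packet acquisition unit 12.

```python
# Added worked example, not code from the patent: the signature generation of
# the attack detection unit 13 modelled on FIG. 3 (attack suspect detection
# conditions), FIG. 4 (illegal traffic conditions) and FIG. 5 (normal
# conditions). All tables, thresholds and traffic observations are constructed.
from ipaddress import ip_address, ip_network

# A signature is a list of (attribute, value) conditions that must ALL hold.
# Values: "any", a CIDR string, a tuple of CIDR strings (an address range),
# or a literal value compared for equality.
def attr_matches(name, wanted, actual):
    if wanted == "any":
        return True
    if actual is None:
        return False
    if name.endswith("IPAddress"):
        nets = wanted if isinstance(wanted, tuple) else (wanted,)
        return any(ip_address(actual) in ip_network(n, strict=False) for n in nets)
    return wanted == actual

def matches(signature, attrs):
    """True when a packet/flow with header attributes `attrs` corresponds to the signature."""
    return all(attr_matches(k, v, attrs.get(k)) for k, v in signature)

# FIG. 3 style records: detection attribute, detection threshold (kbps), detection interval (s).
SUSPECT_CONDITIONS = [
    {"number": 1, "attribute": [("DestinationIPAddress", "any"), ("Protocol", "ICMP")],
     "threshold_kbps": 500, "interval_s": 10},
    {"number": 3, "attribute": [("DestinationIPAddress", "192.168.1.0/24")],
     "threshold_kbps": 2000, "interval_s": 30},
]
# FIG. 4 style records: traffic pattern (expressed as attribute conditions), T kbps, S seconds.
ILLEGAL_CONDITIONS = [
    {"number": 2, "pattern": [("Protocol", "ICMP"), ("ICMPType", "EchoReply")],
     "threshold_kbps": 1000, "interval_s": 20},
]
# FIG. 5 style records: attribute/value pairs identifying legitimate users.
NORMAL_CONDITIONS = [
    {"number": 1, "condition": [("SourceIPAddress", "10.1.0.0/16")]},     # constructed: branch office
    {"number": 2, "condition": [("SourceIPAddress", "203.0.113.0/24")]},  # constructed: affiliated company
]

# An observation is (header attributes, transmission bandwidth in kbps, continuous seconds).
def generate_suspect_signature(observations, conditions=SUSPECT_CONDITIONS):
    """Return the detection attribute of the first record satisfied, i.e. the suspect signature."""
    for rec in conditions:
        for attrs, kbps, seconds in observations:
            if (matches(rec["attribute"], attrs) and kbps >= rec["threshold_kbps"]
                    and seconds >= rec["interval_s"]):
                return list(rec["attribute"])
    return None

def generate_normal_signatures(suspect_sig, conditions=NORMAL_CONDITIONS):
    """AND of the suspect signature with every normal condition record (one normal signature each)."""
    return [list(suspect_sig) + list(rec["condition"]) for rec in conditions]

def generate_illegal_signature(suspect_sig, observations, conditions=ILLEGAL_CONDITIONS):
    """Sources of attack suspect traffic matching an illegal traffic pattern form the illegal
    address range; the illegal signature is 'source in that range AND suspect signature'."""
    suspect_obs = [o for o in observations if matches(suspect_sig, o[0])]
    for rec in conditions:
        bad = sorted({attrs["SourceIPAddress"] + "/32" for attrs, kbps, seconds in suspect_obs
                      if matches(rec["pattern"], attrs) and kbps >= rec["threshold_kbps"]
                      and seconds >= rec["interval_s"]})
        if bad:
            return [("SourceIPAddress", tuple(bad))] + list(suspect_sig)
    return None

# Constructed traffic observations (documentation address ranges).
OBSERVATIONS = [
    ({"SourceIPAddress": "198.51.100.7", "DestinationIPAddress": "192.168.1.10",
      "Protocol": "ICMP", "ICMPType": "EchoReply"}, 1500, 40),   # flood from one host
    ({"SourceIPAddress": "10.1.2.3", "DestinationIPAddress": "192.168.1.10",
      "Protocol": "ICMP", "ICMPType": "EchoRequest"}, 800, 40),  # branch office, also ICMP
    ({"SourceIPAddress": "10.1.2.4", "DestinationIPAddress": "192.168.1.10",
      "Protocol": "TCP", "DestinationPort": 80}, 100, 40),       # ordinary web traffic
]

if __name__ == "__main__":
    suspect = generate_suspect_signature(OBSERVATIONS)
    print("suspect :", suspect)
    for normal in generate_normal_signatures(suspect):
        print("normal  :", normal)
    print("illegal :", generate_illegal_signature(suspect, OBSERVATIONS))
```

Running the file prints the three kinds of signature. Because each normal signature carries every condition of the suspect signature, it only carves legitimate users out of the suspect traffic instead of permitting their addresses globally, and the illegal signature likewise narrows the suspect signature to the offending sources rather than widening it.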
- the suspect signature, the normal signature, and the illegal signature generated by the attack detection unit 13 described above are registered in the signature list 16a by the processing of the priority order determination unit 15 described later.
- the signatures registered in the signature list 16a (suspect signatures, regular signatures, and illegal signatures) also include signatures received from adjacent relay devices via the signature communication unit 14 described later, and signatures newly set or corrected by the network administrator and input via the input unit 17.
- a signature communication unit 14 is a processing unit that transmits the signature generated by the attack detection unit 13 to the adjacent relay device and receives the signature transmitted from the adjacent relay device.
- the priority order determination unit 15 is a processing unit that determines the priority of the signatures to be registered in the signature list 16a described later (the signatures received by the signature communication unit 14, the signatures generated by the attack detection unit 13, and the signatures set by the network administrator via the input unit 17).
- the signature list 16a representing the result of the priority order determination is created, and the created signature list 16a is registered in the filter unit 16.
- the signature includes restriction information for limiting the bandwidth when a specific packet flows in.
- the signature list 16a will be described with reference to FIG.
- FIG. 6 is a diagram showing an example of information stored in the signature list 16a.
- by type, the signatures can be divided into setting signatures set by the network administrator and automatically generated signatures generated automatically by the relay device 10 (the signatures received by the signature communication unit 14 and the signatures generated by the attack detection unit 13), and also into illegal signatures for restricting illegal packets, regular signatures for permitting valid packets, and suspect signatures for restricting attack suspect packets.
- the priority order determination unit 15 determines the priority order of the signatures to be registered in the signature list 16a such that a "setting signature" has a higher priority than an "automatically generated signature".
- further, the priority order determination unit 15 determines the priority order of the signatures to be registered in the signature list 16a such that an "illegal signature" has a higher priority than a "regular signature" or a "suspect signature", and a "regular signature" has a higher priority than a "suspect signature". Specifically, in the example of FIG. 6, where a smaller priority value associated with a signature means a higher priority, the order is: the setting signatures (Signature A and Signature B), the illegal signature (Signature C), the regular signature (Signature D), and the suspect signatures (Signature E and Signature F).
- the priority order determination unit 15 also determines the priority order according to the contents of the restriction information included in each signature. As a specific example, the smaller the bandwidth limit of a signature (the bandwidth within which packets corresponding to the signature are allowed to pass), the higher the priority given to the signature.
- the priority order determination unit 15 may also give a plurality of signatures of the same type (for example, regular signatures, which do not include restriction information) higher priority in the order in which they were input to the signature list 16a. Furthermore, even when a plurality of signatures of the same type have the same bandwidth limit, priority may be given in the order in which they were input to the signature list 16a.
- in this way, the priority order determination unit 15 determines, based on the signature type, the bandwidth limit, and the like, the priority order of the signatures received by the signature communication unit 14, the signatures generated by the attack detection unit 13, and the signatures set by the network administrator via the input unit 17. Then, the priority order determination unit 15 registers the signatures to which priorities have been given in the signature list 16a.
- The filter unit 16 is a processing unit that accepts a packet received by the network interface unit 11 and controls the passage of the packet (its output from the network interface unit 11) based on the signature list 16a. Specifically, the filter unit 16 determines whether an input packet corresponds to any of the illegal, regular and suspect signatures registered in the signature list 16a, examining the signatures in order from the highest priority. In the example of FIG. 6, the signatures are examined in order from Signature A through Signature F.
- When a packet corresponds to a signature, the filter unit 16 controls the passage of that packet according to the contents of that signature, for example by inputting it into one of the queues described below or by discarding it, and does not process the packet against any signature with a lower priority than the one used for this control. For example, if a packet corresponds to Signature C, the filter unit 16 applies the processing for an illegal signature (input into a predetermined queue or discarding) and does not evaluate the packet against Signatures D through F, whose priority is lower than that of Signature C.
- Specifically, the filter unit 16 inputs a packet corresponding to an illegal signature into the illegal queue for processing illegal packets, and a packet corresponding to a suspect signature into the suspect queue for suspect users. A packet corresponding to a regular signature, or corresponding to no signature at all, is input into the regular queue for legitimate users.
- The filter unit 16 outputs packets in the regular queue from the network interface unit 11 without limiting the transmission bandwidth. Packets in the suspect queue and the illegal queue are output with the transmission bandwidth limited to the limit value indicated by the signature that the packet was judged to correspond to.
- The filter unit 16 also cancels a signature that satisfies a predetermined release criterion and stops the packet passage control that was based on the cancelled signature.
- FIG. 7 is a flowchart showing the processing procedure when an attack suspect packet is detected.
- When the attack detection unit 13 of the relay device 10 detects attack-suspect traffic based on the attack suspect detection condition table 13a shown in FIG. 3 (step S1), it generates a suspect signature and a regular signature (step S2). The priority order determination unit 15 then accepts the suspect signature and the regular signature generated by the attack detection unit 13 and determines their priority order (step S3).
- Here, the priority order determination unit 15 sets the priority of the regular signature higher than that of the suspect signature, and when there are multiple signatures of the suspect type, the smaller the bandwidth in the restriction information of a signature, the higher its priority. Further, the priority of the suspect signature and the regular signature generated by the attack detection unit 13 is determined so that any setting signature already registered in the signature list 16a retains a higher priority.
- The priority order determination unit 15 then creates a signature list 16a reflecting the determined priority order and registers it in the filter unit 16 (step S4). The signature communication unit 14 transmits the signature generated by the attack detection unit 13 (in this embodiment, the suspect signature and the normal condition) to the adjacent relay device (step S5). As described below, the priority order determination unit 15 determines the priority order in the same way not only when attack-suspect traffic is detected, but also when the signature communication unit 14 receives a signature from another relay device 10 or when the network administrator inputs a signature.
- FIG. 8 is a flowchart showing a processing procedure when receiving a signature.
- When the signature communication unit 14 of the relay device 10 receives a signature and the like (in this embodiment, a suspect signature and a normal condition) transmitted from an adjacent relay device (step S11), the attack detection unit 13 generates a regular signature based on the received normal condition (step S12).
- The priority order determination unit 15 accepts the suspect signature received by the signature communication unit 14 and the regular signature generated by the attack detection unit 13 and determines their priority order (step S13).
- The priority determination method is the same as that used when an attack suspect packet is detected, described above: the priority of the regular signature is set higher than that of the suspect signature; when there are multiple signatures of the suspect type, the smaller the bandwidth in the restriction information of a signature, the higher its priority; and the priority of the suspect signature received from the adjacent relay device and of the regular signature generated by the attack detection unit 13 is determined so that any setting signature already registered in the signature list 16a retains a higher priority.
- The priority order determination unit 15 then creates a signature list 16a reflecting the determined priority order and registers it in the filter unit 16 (step S14). The signature communication unit 14 transmits the signature and the like received from the adjacent relay device (in this embodiment, the received suspect signature and normal condition) on to the next adjacent relay device (step S15).
- FIG. 9 is a flowchart showing a processing procedure when an illegal packet is detected.
- When the attack detection unit 13 of the relay device 10 detects unauthorized traffic based on the unauthorized traffic detection condition table 13b shown in FIG. 4 (step S21), it generates an illegal signature (step S22). The priority order determination unit 15 then accepts the illegal signature generated by the attack detection unit 13 and determines its priority order (step S23).
- Here, the priority order determination unit 15 determines the priority of the illegal signature generated by the attack detection unit 13 so that any setting signature already registered in the signature list 16a retains a higher priority, and so that the illegal signature has a higher priority than any suspect signature or regular signature already registered in the signature list 16a. Furthermore, when there are multiple signatures of the illegal type, the smaller the bandwidth in the restriction information of a signature, the higher its priority.
- The priority order determination unit 15 then creates a signature list 16a reflecting the determined priority order and registers it in the filter unit 16 (step S24). Note that, in addition to the cases of detecting attack-suspect traffic, receiving a signature from another relay device 10 and detecting an illegal packet, the priority order determination unit 15 also determines the priority of a signature input by the network administrator via the input unit 17 according to the priority determination method described above.
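As an added illustration, not code from the patent or its applicant, the following Python models the priority determination of the priority order determination unit 15 and the first-match filtering of the filter unit 16 described above, together with the signature generation and exchange steps of FIG. 7 to FIG. 9. The packet representation (a dict of header fields), the signature match condition (equality of the listed fields), the bandwidth unit, the signature names and all addresses are assumptions of this example; the FIG. 6 list is reproduced with constructed Signatures A to F.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Ranking tables for the embodiment described above: a setting signature outranks
# an automatically generated one, and by type illegal > regular > suspect.
ORIGIN_RANK = {"setting": 0, "auto": 1}
KIND_RANK = {"illegal": 0, "regular": 1, "suspect": 2}

@dataclass
class Signature:
    name: str
    origin: str                          # "setting" (administrator) or "auto"
    kind: str                            # "illegal", "regular" or "suspect"
    match: dict                          # assumed form: header fields that must all be equal
    bw_limit_kbps: Optional[int] = None  # restriction information; None = no limit
    seq: int = 0                         # order of entry into the list, assigned on registration

    def matches(self, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())

def priority_key(sig: Signature):
    """Smaller tuple = higher priority (lower priority value in FIG. 6):
    origin, then type, then the stricter (smaller) bandwidth limit, then entry order."""
    bw = sig.bw_limit_kbps if sig.bw_limit_kbps is not None else float("inf")
    return (ORIGIN_RANK[sig.origin], KIND_RANK[sig.kind], bw, sig.seq)

class RelayDevice:
    def __init__(self, name: str):
        self.name = name
        self.signature_list = []  # signature list 16a, kept sorted by priority
        self.sent = []            # (suspect signature, normal condition) passed to the adjacent relay
        self._seq = 0

    def register(self, *sigs: Signature) -> None:
        """Priority order determination unit 15: number the entries, then sort."""
        for s in sigs:
            self._seq += 1
            s.seq = self._seq
            self.signature_list.append(s)
        self.signature_list.sort(key=priority_key)

    def filter_packet(self, pkt: dict):
        """Filter unit 16: the first matching signature in priority order decides the
        queue; lower-priority signatures are not consulted for this packet.
        Returns (queue, bandwidth limit in kbps or None, matched signature name)."""
        for sig in self.signature_list:
            if sig.matches(pkt):
                limit = None if sig.kind == "regular" else sig.bw_limit_kbps
                return sig.kind, limit, sig.name
        return "regular", None, None  # no match: regular queue, unlimited

    def on_suspect_detected(self, suspect_match: dict, normal_condition: dict, bw_limit_kbps: int):
        """FIG. 7, steps S2 to S5: generate a suspect and a regular signature, register
        them by priority, then pass the suspect signature and the normal condition on."""
        suspect = Signature("suspect", "auto", "suspect", suspect_match, bw_limit_kbps)
        regular = Signature("regular", "auto", "regular", normal_condition)
        self.register(suspect, regular)
        self.sent.append((suspect, normal_condition))
        return suspect, regular

    def on_signature_received(self, suspect: Signature, normal_condition: dict):
        """FIG. 8, steps S12 to S15: derive a regular signature from the received normal
        condition, register both, and forward them to the next adjacent relay."""
        suspect = replace(suspect, seq=0)  # this relay assigns its own entry order
        regular = Signature(f"regular@{self.name}", "auto", "regular", normal_condition)
        self.register(suspect, regular)
        self.sent.append((suspect, normal_condition))
        return suspect, regular

    def on_illegal_detected(self, match: dict, bw_limit_kbps: int):
        """FIG. 9, steps S22 to S24: an illegal signature ranks above every automatically
        generated regular or suspect signature, but below the setting signatures."""
        illegal = Signature("illegal", "auto", "illegal", match, bw_limit_kbps)
        self.register(illegal)
        return illegal

def fig6_relay() -> RelayDevice:
    """Constructed reproduction of the FIG. 6 list: registered in shuffled order,
    the signatures come out ranked A to F (addresses are documentation ranges)."""
    r = RelayDevice("relay10")
    r.register(
        Signature("F", "auto", "suspect", {"dst": "192.0.2.10", "proto": "udp"}, 1000),
        Signature("E", "auto", "suspect", {"dst": "192.0.2.10"}, 500),
        Signature("D", "auto", "regular", {"dst": "192.0.2.10", "src": "198.51.100.7"}),
        Signature("C", "auto", "illegal", {"src": "203.0.113.9"}, 0),
        Signature("B", "setting", "suspect", {"dst": "192.0.2.20"}, 200),
        Signature("A", "setting", "illegal", {"src": "203.0.113.1"}, 0),
    )
    return r

if __name__ == "__main__":
    relay = fig6_relay()
    print("priority order:", [s.name for s in relay.signature_list])
    for pkt in ({"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "udp"},
                {"src": "198.51.100.99", "dst": "192.0.2.10", "proto": "udp"},
                {"src": "203.0.113.9", "dst": "192.0.2.10"}):
        print(pkt, "->", relay.filter_packet(pkt))
```

Registering the signatures in shuffled order and sorting with priority_key reproduces the FIG. 6 order A to F. A packet from the client named in the normal condition matches regular Signature D before suspect Signatures E and F and is output unlimited, while any other packet to the same destination is throttled by E, whose 500 kbps limit is stricter than F's, so the stricter restriction wins exactly as the text requires. The exchange between the two relay devices trusts whatever the adjacent device sends, as the text describes; authentication of that exchange is outside what the page covers.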
- As described above, priorities are determined for the signatures registered in the signature list 16a, and the signatures are applied in order from the highest priority when controlling the passage of packets, so that packets can be processed in the desired order even when multiple signatures apply to them.
- Because a setting signature is given higher priority than an automatically generated signature, the signature set by the network administrator is used preferentially for packet control, and the control intended by the network administrator is performed preferentially.
- Because a signature whose restriction range is stricter (whose bandwidth limit in the restriction information is smaller) is given higher priority and is used for packet control before a less strict signature, packets can be processed reliably without contradiction between the controls of overlapping signatures.
- In the above embodiment, the priority order is determined so that a regular signature has a higher priority than a suspect signature, but the present invention is not limited to this: the priority order may also be determined so that a suspect signature has a higher priority than a regular signature. That is, the priority determination method described in the above embodiment is merely an example, and the present invention applies equally when another priority determination method is adopted.
- In the above embodiment, a suspect signature is always generated when an attack is detected, and a regular signature is generated whenever a suspect signature is generated or is received from another relay device. The present invention is not limited to this: a regular signature may be generated without generating a suspect signature, or a regular signature may be generated without receiving a suspect signature.
- Each component of each device illustrated in the above embodiment is functionally conceptual and need not be physically configured as illustrated.
- The specific form of distribution and integration of the relay device 10 is not limited to that shown in the figures; all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
- All or any part of the processing functions performed in the relay device 10 can be realized by a CPU and a program analyzed and executed by the CPU, or as hardware by wired logic.
- Each function of each device (for example, the relay device 10) can also be realized by executing a program on a computer such as a personal computer or a workstation.
- The various processing procedures described in the first embodiment can be realized by executing a prepared program on a computer. Such a program can be distributed via a network such as the Internet, or recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO or a DVD and executed by a computer reading it from the recording medium. For example, a CD-ROM storing the relay device program of the embodiment may be distributed, and each computer may read and execute the program stored on it.
- As described above, the relay device, relay method, relay program and network attack defense system according to the present invention are useful for controlling the passage of packets on a network based on signatures that control packet passage, and are particularly suitable for processing packets in a desired order even when there are a plurality of signatures.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006540853A JPWO2006040895A1 (ja) | 2004-10-12 | 2005-09-09 | 中継装置、中継方法および中継プログラム並びにネットワーク攻撃防御システム |
EP05782015A EP1802057A1 (en) | 2004-10-12 | 2005-09-09 | Repeater, repeating method, repeating program, network attack defensing system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004298246 | 2004-10-12 | ||
JP2004-298246 | 2004-10-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006040895A1 true WO2006040895A1 (ja) | 2006-04-20 |
Family
ID=36148197
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/016666 WO2006040895A1 (ja) | 2004-10-12 | 2005-09-09 | 中継装置、中継方法および中継プログラム並びにネットワーク攻撃防御システム |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1802057A1 (ja) |
JP (1) | JPWO2006040895A1 (ja) |
KR (1) | KR20060060671A (ja) |
CN (1) | CN1879372A (ja) |
WO (1) | WO2006040895A1 (ja) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100937217B1 (ko) * | 2007-12-07 | 2010-01-20 | 한국전자통신연구원 | 시그니처 최적화 시스템 및 방법 |
KR101444908B1 (ko) * | 2013-01-08 | 2014-09-26 | 주식회사 시큐아이 | 시그니처를 저장하는 보안 장치 및 그것의 동작 방법 |
KR101580417B1 (ko) * | 2014-12-30 | 2016-01-04 | 고려대학교 산학협력단 | 시그니쳐 리스트 정렬 방법 |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003283554A (ja) * | 2002-03-22 | 2003-10-03 | Nippon Telegr & Teleph Corp <Ntt> | 分散型サービス不能攻撃防止方法及びゲート装置、通信装置ならびにプログラム |
2005
- 2005-09-09 CN CNA2005800006581A patent/CN1879372A/zh active Pending
- 2005-09-09 WO PCT/JP2005/016666 patent/WO2006040895A1/ja not_active Application Discontinuation
- 2005-09-09 EP EP05782015A patent/EP1802057A1/en not_active Withdrawn
- 2005-09-09 JP JP2006540853A patent/JPWO2006040895A1/ja active Pending
- 2005-09-09 KR KR1020067002305A patent/KR20060060671A/ko active IP Right Grant
Non-Patent Citations (1)
Title |
---|
MORIKAWA Y, ET AL.: "Active Network Gijutsu o Riyo shita DDoS Kogeki Taisaku System no Kochiku Oyobi Hyoka", INFORMATION PROCESSING SOCIETY OF JAPAN KENKYU HOKOKU, vol. 2002, no. 68, 19 July 2002 (2002-07-19), pages 69 - 75, XP002999514 * |
Also Published As
Publication number | Publication date |
---|---|
CN1879372A (zh) | 2006-12-13 |
JPWO2006040895A1 (ja) | 2008-05-15 |
EP1802057A1 (en) | 2007-06-27 |
KR20060060671A (ko) | 2006-06-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 200580000658.1 Country of ref document: CN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006540853 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020067002305 Country of ref document: KR Ref document number: 2005782015 Country of ref document: EP |
|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
WWP | Wipo information: published in national office |
Ref document number: 1020067002305 Country of ref document: KR |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWP | Wipo information: published in national office |
Ref document number: 2005782015 Country of ref document: EP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 2005782015 Country of ref document: EP |